Threat Analysis based Software Security Testing for preventing the Attacks to Incapacitate Security Features of Information Security Systems
Authors: Kim, Dongjin (Dankook University); Jeong, Youn-Sik (Dankook University); Yun, Gwangyeul (Dankook University); Yoo, Haeyoung (Dankook University); Cho, Seong-Je (Dankook University); Kim, Giyoun (A3SECURITY); Lee, Jinyoung (Korea Internet Security Agency); Kim, Hong-Geun (Korea Internet Security Agency); Lee, Taeseung (Sungkyunkwan University); Lim, Jae-Myung (Korea Internet Security Agency); Won, Dongho (Sungkyunkwan University)
References

[1] Gartner, "Now is the time for security at Application Level," Dec. 2005.
[2] G. McGraw, "Software assurance for security," IEEE Computer, vol. 32, pp. 103-105, Apr. 1999.
[3] G. McGraw and B. Potter, "Software Security Testing," IEEE Security and Privacy, vol. 2, pp. 81-85, Sep. 2004.
[4] B. Arkin, S. Stender and G. McGraw, "Software penetration testing," IEEE Security & Privacy, vol. 3, pp. 84-87, Jan. 2005.
[5] D.P. Gilliam, T.L. Wolfe, J.S. Sherif and M. Bishop, "Software Security Checklist for the Software Life Cycle," Proceedings of the Twelfth International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, pp. 243, Jun. 2003.
[6] X. Zhang, L. Shao and J. Zheng, "A Novel Method of Software Vulnerability Detection based on Fuzzing Technique," Proceedings of the 2008 International Conference on Apperceiving Computing and Intelligence Analysis: ICACIA 2008, pp. 270-273, Dec. 2008.
[7] V. Ganesh, T. Leek and M. Rinard, "Taint-based directed whitebox fuzzing," Proceedings of the 2009 International Conference on Software Engineering: ICSE 2009, pp. 474-484, May 2009.
[8] D. Thiel, "Exposing Vulnerabilities in Media Software," Tech. Rep., BlackHat USA, Jul. 2007.
[9] D. Kim and S. Cho, "Fuzzing-based Vulnerability Analysis for Multimedia Players," Journal of KIISE: Computing Practices and Letters, vol. 17, no. 2, Feb. 2011. (in Korean)
[10] CVSS (Common Vulnerability Scoring System) home page: http://www.first.org/cvss
[11] CWSS (Common Weakness Scoring System) home page: http://cwe.mitre.org/cwss/
[12] CVE (Common Vulnerabilities Enumeration) home page: http://cve.mitre.org/
[13] CWE (Common Weakness Enumeration) home page: http://cwe.mitre.org/
[14] Common Criteria, "Common Criteria for Information Technology Security Evaluation - Part 3: Security assurance components, Version 3.1," Sep. 2007.
[15] K. Bang, I. Kim, J. Lee, J. Lee and J. Choi, "Classification Criteria and Application Methodology for Evaluating IT Security Products," Journal of Korea Knowledge Information Technology Society, vol. 6, no. 5, Oct. 2011. (in Korean)
[16] D. Kim and S. Cho, "An Analysis of Domestic and Foreign Security Vulnerability Management Systems based on a National Vulnerability Database," Journal of Internet and Information Security, vol. 1, no. 2, pp. 130-147, Nov. 2010. (in Korean)
[17] Fortify Software, Inc. home page: http://www.fortify.com
[18] J.A. Kupsch, B.P. Miller, E. Heymann and E. Cesar, "First Principles Vulnerability Assessment," Proceedings of the 2010 ACM Workshop on Cloud Computing Security, pp. 87-92, Oct. 2010.
[19] Y. Son, "A Study on Software Vulnerability of Programming Languages Interoperability," Proceedings of Advanced Computer Science and Information Technology, Communications in Computer and Information Science, vol. 195, pp. 123-131, Sep. 2011.
[20] D. Kim, D. Seo, W. Yi and S. Cho, "An Efficient Vulnerability Management System for Utilization of New Information Technologies-related Security Vulnerabilities," Proceedings of the 37th KIISE Fall Conference, vol. 37, no. 2(B), pp. 66-71, Nov. 2010. (in Korean)
[21] G. Kim and S. Cho, "Fuzzing of Web Application Server Using Known Vulnerability Information and Its Verification," Proceedings of the KIISE Korea Computer Congress 2011, vol. 38, no. 1(B), pp. 181-184, Jun. 2011. (in Korean)
[22] Boannews, "Malicious file for stealing Diablo 3 user accounts appears in Korea," Ho Ae-jin, Jun. 2012, web site: http://www.boannews.com/media/view.asp?idx=31582 (in Korean)
[23] SANS Institute Reading Room web page: http://www.sans.org/reading_room
[24] "Practical Threat Analysis for Information Security Experts," web page: http://www.ptatechnologies.com
[25] NVD (National Vulnerability Database) home page: http://nvd.nist.gov/
[26] Anti-Malware Test Lab home page: http://www.anti-malware-test.com/?q=taxonomy/term/16
[27] C.S. Collberg and C. Thomborson, "Watermarking, tamper-proofing, and obfuscation - tools for software protection," IEEE Transactions on Software Engineering, vol. 28, pp. 735-746, Aug. 2002.
[28] M. Bauer, "New covert channels in HTTP: adding unwitting Web browsers to anonymity sets," Proceedings of the 2003 ACM Workshop on Privacy in the Electronic Society, pp. 72-78, Oct. 2003.
[29] M. Kim, J. Lee, H. Chang, S. Cho, Y. Park, M. Park and P.A. Wilsey, "Design and Performance Evaluation of Binary Code Packing for Protecting Embedded Software against Reverse Engineering," Proceedings of the IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing 2010, pp. 80-86, May 2010.
[30] S. Jana and V. Shmatikov, "Abusing file processing in malware detectors for fun and profit," Proceedings of the IEEE Symposium on Security and Privacy 2012, pp. 80-94, May 2012.
[31] S.J. Murdoch and S. Lewis, "Embedding covert channels into TCP/IP," Proceedings of the 7th International Conference on Information Hiding 2005, pp. 247-261, Jul. 2005.
[32] C. Seifert, P. Komisarczuk and I. Welch, "True Positive Cost Curve: A Cost-Based Evaluation Method for High-Interaction Client Honeypots," Proceedings of the 2009 Third International Conference on Emerging Security Information, Systems and Technologies, pp. 63-69, Jun. 2009.
[33] SecurityFocus home page: http://www.securityfocus.com/
[34] Process Explorer home page: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
[35] Windows Sysinternals Suite home page: http://technet.microsoft.com/en-us/sysinternals/bb842062